Sunday, 15. January 2017

Raspbian: Insecure and not trusted!


Not only is Raspbian intentionally shipped without any way to verify the integrity of the download (the published hashes are not signed), but by their own admission an employee of Raspberry Pi basically states that they avoid secure crypto out of fear of being "non-compliant" with some "crypto export laws".

I work for Raspberry Pi. As for using SHA-256 over SHA-1, that then pushes the hash into the realm of crypto software which is controlled by export regulations - given the minuscule chance of collisions with SHA-1, it would cause far more problems than it solves to use SHA-256.

reddit.com
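The point of the complaint above is that an unsigned checksum adds nothing against an attacker who can alter what you download, whatever hash algorithm is used. The script below is an added example, not code from the original post or from the Raspberry Pi Foundation; it constructs a fake image and a vendor key locally and assumes only `sha256sum` and `openssl` are available. It shows that after an attacker swaps both the image and its checksum file, the unsigned check still passes, while a signature over the checksum file verified against a pinned public key fails.

```shell
#!/bin/sh
# Added example (not from the original post or from Raspberry Pi): unsigned
# checksum vs. signed checksum under an attacker who controls the download.
# Assumes only sha256sum (GNU coreutils) and openssl; all files are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Unsigned check: passes whenever the image matches the checksum file that
# arrived with it. An attacker who replaces both gets through; the hash
# algorithm (SHA-1, SHA-256, ...) makes no difference to this.
unsigned_check() {
    ( cd "$WORK" && sha256sum -c --quiet image.img.sha256 ) >/dev/null 2>&1
}

# Signed check: passes only if the checksum file verifies under the pinned
# vendor key AND the image matches that (now trusted) checksum.
signed_check() {
    openssl dgst -sha256 -verify "$WORK/pinned.pub" \
        -signature "$WORK/image.img.sha256.sig" "$WORK/image.img.sha256" >/dev/null 2>&1 \
    && ( cd "$WORK" && sha256sum -c --quiet image.img.sha256 ) >/dev/null 2>&1
}

# --- Vendor side (assumption: the vendor signs its checksum file) -------------
printf 'genuine image bytes (constructed sample)\n' > "$WORK/image.img"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/vendor.key" 2>/dev/null
openssl pkey -in "$WORK/vendor.key" -pubout -out "$WORK/vendor.pub" 2>/dev/null
( cd "$WORK" && sha256sum image.img > image.img.sha256 )
openssl dgst -sha256 -sign "$WORK/vendor.key" \
    -out "$WORK/image.img.sha256.sig" "$WORK/image.img.sha256"

# The pinned key is the one artifact the attacker cannot swap in transit:
# the user fetched it earlier, over a channel separate from this download.
cp "$WORK/vendor.pub" "$WORK/pinned.pub"

# Genuine download: both checks pass.
signed_check_before_swap=$(signed_check && echo pass || echo fail)

# --- Attacker on the download path swaps BOTH the image and the checksum -------
printf 'backdoored image bytes (constructed sample)\n' > "$WORK/image.img"
( cd "$WORK" && sha256sum image.img > image.img.sha256 )

unsigned_check_after_swap=$(unsigned_check && echo pass || echo fail)
signed_check_after_swap=$(signed_check && echo pass || echo fail)

echo "signed check, genuine download:   $signed_check_before_swap"
echo "unsigned check after swap:        $unsigned_check_after_swap  (attacker undetected)"
echo "signed check after swap:          $signed_check_after_swap  (tampering detected)"
```

The signature only helps if `pinned.pub` really was obtained independently of the download path (for example from a key the user already had, or a second channel the attacker does not control); a public key served next to the image and its signature is just another file the attacker can replace.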
